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CYBERSECURITY 
ann CYBERWAR 


WHAT EVERYONE NEEDS TO KNOW? 


Paul A. Strassmann 
New Canaan Mens Club — January 9, 2015 


¢ From individuals to organized groups. 


¢ Drug cartels, mafias, terrorist cells 
and nation-states. 


RAND Corporation. htto://www.rand.org/pubs/research_reports/RR610.htm! 


¢ Defenders protect 100.0%, all times. 


¢ Espionage succeeds in 0.01% of time. 


Number Internet Devices = 15+ Billions 


E-mail addresses = 2 
Facebook, Twitter, Linkedin = 3 
Personal and work numbers = 2 
Financial Accounts = 4 

Health = 3 

Federal, State, Municipal = 3 
eBay, Amazon = 3 

system ID and badges = 2 


Number of Digital Identities = 50+ Billions 
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Incident rates across monitored industries 


Manufacturing 
Finance and 
insurance 


Information and 
communication 


Health and social 
services 


Retail and 
wholesale 


Categories of incidents 


Sustained 
a Malicious code 
28 ” 3 5% 


Denial of 
Unauthorized Service 
access 9% 
43” = Access or 
Suspicious 
ia credentials abuse 
activity 


= lure 


How breaches occur 
Misconfigured 
system or 

sh 
End-user error 


Undetermined 


Vulnerable code 


Targeted attack, 
exploited 


@) 
3 of victims discovered 
the breach internally 


Down from 37% in 2012 


Oo 
67 of victims were notified 
by an external entity 


http://www.fireeye.com/blog/corporate/201 4/04/annual-m-trends-report-looks-beyond-the-breach.html 
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median number of days that 
threat groups were present on a 
victim's network before detection 


L 14 days less than 2012 


Longest Presence: 2,287 days 


http://www.fireeye.com/blog/corporate/201 4/04/annual-m-trends-report-looks-beyond-the-breach.html 
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|i) Backdoors — 


Federal Bureau 
of Investigation 


Homeland 
security 


JOINT INDICATOR BULLETIN 


Distributed as TLP: GREEN 
Reference Number: JIB-14-20199 


Destructive Malware 09 December 2014 


DISCLAIMER: This bulletin is provided “as ts" for informational purposes only. The U.S. Government (USG) 
does not provide any warranties of any kind regarding arry information contained within. USG does not endorse 
any commercial product or service referenced in tits advisory or otherwise. This document ts distributed as TLP: 


GREEN. Recipients may share TLP: GREEN information with peers and parter organizations within their 
sector or community, but not via publicly accessible channels. For more information about TLP, see 


DHS and FBI will actively update this document as more information becomes available. 


Summary 


This Joint Indicator Bulletin (JTB)’ is the result of efforts between the Department of Homeland 
Security (DHS) National Cybersecurity and Communications Integration Center 
(NCCIC)/United States Computer Emergency Readiness Team (US-CERT) and the Federal 
Bureau of Investigation (FBI) to highlight known cyber threat indicators. 


* Typical large firm receives 50,000 intrusion/day 


¢ Pentagon reports 10 million attempts/day 


¢ Nuclear Security Admin: 10 million hacks/day 


SOURCE (March 8, 2013): 
http://www.nextgov.com/cybersecurity/2013/03/how-many-cyberattacks-hit-united-states-last-year/61775/ 


¢ New Malicious Web Domains/day 74,000 


¢ Web Attacks Blocked/day 247,350 

¢ Bot Infections/day 3.4 
millions 

¢ Avg. number of stolen identities 604,826 


* http:/Awww.symantec.com/- 69 million sensors, 2013 


U.S. Critical Infrastructure 


Chemicals 
Communications 
Critical Manufacturing 
Dams 

Defense Industrial Base 
Emergency Services 
Energy 

Financial Services 


Food and Agriculture 
Government Services 
Pharmaceuticals 
Public Safety 

Public Health 


Information 
Technology 


Nuclear Reactors 
Transportation 


Source of Losses 


¢ Cyber espionage 

¢ Cyberthett 

¢ Cybercrime 

¢ Loss of sensitive business information 
¢ Service and employment disruption 

¢ Insurance, and recovery costs 

¢ Competitive damage 

¢ Reputational damage 

¢ Loss of intellectual property 

¢ Loss of intangible assets 


Sources of Cyber Attacks 


¢ Hactivists 

¢ Theft by Criminals 

¢ Organized Crime 

¢ Insider Compromises 
¢ Economic Espionage 
¢ Information Warfare 


« Government 


¢ Government proxies 


U.S. Costs of Cyber Crime 


¢ Estimated Cost: $100 billion to $500 billion 


¢ Loss of 500,000 jobs 


¢ Loss to national security 


SOURCE: https://csis.org/event/estimating-cost-cyber-crime-and-cyber-espionage 


Pixel Tracker Bug Advertised (november 15, 2014) 


¢ Available for private database of 140,000. 


¢ Delivers e-mails, passwords, usernames and 
private messages of all the members. 


¢ Price: $90 via BitCoin. 


¢ Countermeasures: Disable Browser Feature 


INFORMATION WARFARE 
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Major Information Warfare Programs 


stuxnet 
Aurora 
Flame 
Red October 
DarkHotel 
Uroburos 


Tne Mask 


Regin 


Encrypted 
container 


Decrypt & execute next stage 


STAGE 2 


Loader 
Decrypt & execute next stage 


STAGE 3 
Kernel 
Framework 


STAGE 4 
User 


Framework 


STAGES STAGES ». STAGES 
Payload ; Payload : ; Payload 
Module l Module 2 Module N 


Example of a Simple Attack 


SEA targets a 
news agency with 
initial phishing 
emails 


SEA actors log 
into webmail 
accounts using 
stolen employee 
credentials 


SEA sends second 
round of emails 
from internal 
email accounts 


SEA uses valid 
credentials from 
the phishing 
campaign to 
access the 
news agency's 
network and to 
authenticate 


SEA defaces the 
news agency's 
public website, 
publishes 
unauthorized 
articles and tweets 
from the agency's 
websites and 


News agency 
ISSUeS 4 
network-wide 
password reset 
that successfully 
blocks the SEA’s 
25 attempts to 
regain access 


Commercial Attack Tools Available for $10 to $50,000 
Zeus: Cybercrime Suppliers in Russia 
SpyEye: From Malaysia 

Bugat v2: Origin unknown 

Gozi Prinimalka Blitzkrieg: Russian 


Carberp: Priced up to $40,000 for kit 


CYBER DEFENSES 


Costs of Security Exceed the Costs of Risks 


Security Breaches 


Security Spend 


IT Spend 


Distribution of Malware 


Malware 


¢ Certified Definitions* 23,847,280 


¢ Additions During August 2013 136,051 


te: /Iwww.symantec.com/security_response/definitions/certified/ - 8/17/2013 
* IDC #242346 


(&) US-CERT 


aim a UNITED STATES COMPUTER EMERGENCY READINESS TEAM 


HOME ABOUT US PUBLICATIONS ALERTS AND TIPS RELATED RESOURCES a 


US-CERT strives for a safer, stronger Internet for all 
Americans by responding to major incidents, analyzing 
threats, and exchanging critical cybersecurity 
information with trusted partners around the world. 


National Vulnerability Database 


A/Aa Sponsored by ps a | NIST 
* y DHS National Cyber Security Division/US-CERT : National Institute of 


Standards and Technology 


National Vulnenay ity Database 


aUOITaNNG yuinerabuty management, ity measurement, ahs compliance ECING 


62,829 Vulnerabilities, June 2014 


Wildfire Core Detection Techniques 


Suspicious files 
collected by all 
security 


platforms 


Filter Benign 


Filter out known good 


Static analysis of PDF, 
Microsoft Office, Java 
and Android APKs 


Dynamic analysis 


‘Embed ded shell-co de 


Scale analysis without Discover unknown threats based 
execution on 130+ malicious behaviors 


& a 
Develop protections Develop protections 


How to Defend a Point-of-Sale System 


PoS Network Corporate Network 


PERSONAL PROTECTION 


E-mail: Strassmann to Hollstein and Messert 


for 11/14 introduction 


Paul Strassmann <pau!l@strassmann.com> @ Nov 11 
to Bchollstein, jtmessert, econgieton ~ 


Would appreciate posting the attached. 
Thanks, Paul 


Investment Club 


January 5, 2015: 


SMC Portfolio of Eight Stock Picks 


P Announcemenet ... | 4 
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Sent to Hollstein and Messert 


-<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> 
<title>Strassmann.com Mail</title><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="google" 
value="notranslate"><meta name="application-name" content="Strassmann.com Mail"><meta name="description" 
content="Google&#39;s approach to email"><meta name="application-url" 
content="https://mail.google.com/mail/u/0"><meta name="google" content="notranslate"><link rel="canonical" 
href="https://mail.google.com/mail/" /><link rel="shortcut icon" 
href="https://www.google.com/a/strassmann.com/images/favicon.ico" type="image/x-icon"><link rel=“alternate 
type="application/atom+xml" title="Strassmann.com Mail Atom Feed" href="feed/atom"><script 
type="text/javascript">// <![CDATA[ 
var GM_START TIME=(new Date).getTime();var GM_SUPPORTED_IE VERSION="8.0";var 
GM_SUPPORTED_GECKO_VERSION="2.0.0";var GM_MOOSE_URL="?ui\x3dhtml\x26zy\x3db";var GM_NO COOKIE URL="? 


" 


_view\x3dnocookies";var GM_NO_ACTIVEX_URL="?view\x3dnoactivex";var GM_APP_NAME="Strassmann.com Mail";var 


GM_ACTION_TOKEN="AF6bupN1EEy0n9dJVLJaDSzn6aroz4sJbA"; 

// )}></script><script type="text/javascript">// <![CDATA[ 

(function(){try{var d=this,e=function(a){var b=typeof a;if("object"==b)if(a){if(a instanceof 
Array)return"array";if(a instanceof Object)return b;var c#=Object.prototype.toString.call(a);if("[object 
Window] “==c)return"object";if("[object Array]"==c||"number"==typeof a.length&&"undefined"!=typeof 
a.splice&&"undefined"!=typeof a.propertyIsEnumerable&&!a.propertyIsEnumerable("splice"))return"array";if(" 
[object Function]"==c| | "undefined"!=typeof a.call&&" undefined" !=typeof 
a.propertyIsEnumerable&&!a.propertyIsEnumerable("call"))return"function"}else return"null"; 

else if("function"==b&&"undefined"==typeof a.call)return"object";return b},h=Date.now| | function( ) {return+new 


‘Date};var k=String.prototype.trim?function(a){return a.trim()}:function(a){return a.replace(/*[\s\xa0]+| 


{\s\xa0]+$/g,"")},mefunction(a,b){return a<b?-l:a>b?1:0};var p;e:{var qed.navigator;if(q){var 
r=q.userAgent;if({r){p=r;break e}}p=""}var 
t=-1l=p.indexOf ("Opera") | |-1!=p.indexOf("OPR"),u=-1!=p.indexOf ("Trident") | |-1!=p.indexOf("MSIE"),v=-1!=p.inde 


_xOf ("Gecko") &&-l==p.toLowerCase().indexOf("webkit")&& 


!(-ll=p.indexOf ("Trident") | |-1!=p.indexOf("MSIE")),w=-1!=p.toLowerCase().indexOf("webkit"),x=function() {var 
a="",b;if(t&&d.opera)return a=d.opera.version, "function"==e(a)?a():a;v?b=/rv\:(([*\)s]4+)(\))3)/su? 
b=/\b(?:MSIE|rv)[: ]({*\):]+)(\)|¢)/:w6&(b=/WebKit\/(\S+)/);b&&(a=(a=b.exec(p))?a[1]:"");return u&&(b= 
(bed.document )?b.documentMode:void 0,b>parseFloat(a))?String(b):a}(),y={},z=function(a){var b;if(!(bey[a])) 


| {b=0;for(var c#k(String(x)).split("."),n=k(String(a)).split("."),A*Math.max(c.length,n.length), 


Hello Paul, 
Order # 1436797168 has been placed on a brief hold until we hear from you. 


Verify here and your order will be shipped 


We will send you a tracking number once you confirm. 
This is in regards to your Black Friday Perk Deals 


Private key will be 
destroyed on 


1/6/2015 


Checking wallet. 


Received: 0.00 BTC 


Your personal files encryption produced on this computer: photos, videos, 
documents, etc. Encryption was produced using a unique public key RSA-2048 
generated for this computer. 


To decrypt files you need to obtain the private key. 


The single copy of the private key, which will allow to decrypt the files, located 
on a secret server on the Internet; the server will destroy the key after a time 
specified in this window. After that, nobody and never will be able to restore 
files... 


To obtain the private key for this computer, which will automatically decrypt 
files, you needto)pay-1-.00 bitcoin (~ 299 USD). 


You can easily.delete this Software, But know that without it, you will never 
be able to get your original files back. 


Disable your antivirus to prevent the removal of this software. 


For more information on how to buy and send bitcoins, click "Pay with Bitcoin” 
To open a list of encoded files, click "Show files” 


Do not delete this list, it will be used for decryption. And do not move your files. 


Show files | 


What to Do for Partial Protection 


Multi-device Mix & Match ' 


Norton” Security 


Protect your data and devices from 
viruses, online threats, identity theft 
financial scams. 


© Norton™ Security ‘year $7$ 


© Norton™ Security ‘year ¢ge¢ 
with Backup? 


DOWNLOAD ~~~ 
McAfee Total Protection 2015 
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"Save $45.00 


Use on up to 3 computers 


Award Winning Protection 
GoEmD 


What to Do 


¢ Never click on unknown e-mail attachment 
¢ Never download application from uncertified source 
e Never accept offers from unverified senders 


¢ Always back up your systems 


Optional: 
— Switch to G-mail for two factor authentication 


— Switch to Apple 


Gmail Two Factor Authentication 


Google 


2-Step Verification 


A phone call with your code has , 
been made to: (***) ***-*"05 


670894 


Verify 


~~ Remember this computer for 30 days. 


Advice 


INTERNET is vulnerable 


¢ You may be “hacked” 


¢ Self-protection: set up backup computer 


¢ Security services available 


